A buffer is a contiguous area of computer memory that can hold multiple instances of the same data type. Buffers can be stacks (automatic variables), heaps (dynamic memory), and static data areas (global or static). In C + + languages, buffers are typically implemented using memory allocation functions such as character arrays and malloc/new. The overflow index is added outside the memory block that is allocated to the buffer. Buffer overflow is the most common program flaw.
The introduction of stack frame structure provides direct hardware support for implementing functions or procedure calls in high-level languages, but it also poses a hidden danger to system security because important data such as function return address is stored in the programmer's visible stack. If the function return address is modified to point to a carefully arranged malicious code, the purpose of endangering the system security can be achieved. In addition, the correct recovery of the stack depends on the correctness of the EBP value of the pressure stack, but ebp domain adjacent to local variables, if the programming intentionally or unintentionally through the local variable address offset to tamper with the EBP value, then the behavior of the program will become very dangerous.
Because of the absence of array-crossing checking mechanisms in the C + + language, a buffer overflow occurs when the data written to the local array buffer exceeds the size allocated for it. An attacker can use a buffer overflow to tamper with the process runtime stack, thereby altering the normal flow of the program, which causes the program to crash, and the heavy system privilege to be stolen.
For example, for the stack structure of the following illustration:
If you assign a 16-byte string to a ACARRBUF array, the system starts to populate the stack space from acarrbuf[0 to the high address, resulting in overwriting the EBP value and function return address. If an attacker overwrites the contents of the return address with a meaningful address (or a segment error), the function returns to execute the attack code that was arranged in advance at that address. The most common means of making a program run a user shell by making a buffer overflow, and then executing other commands through the shell. If the program has root or suid Execute permissions, the attacker will get a shell with root privileges, which can be used to do any operation on the system.
In addition to changing the return address by making a stack buffer overflow, you can also overwrite local variables (especially function pointers) to exploit buffer overflow defects.
Note that the stack buffer overflow described in this article differs from the generalized "stack Overflow (stack OverFlow)", which, in addition to the bounds of the local array and memory overlay, may also be caused by too many call hierarchies (in particular, recursive functions) or too large local variables. 2 buffer Overflow instance
This section provides an example of a number of buffer overflow related procedures. The first three examples are manual modifications to return addresses or arguments, and the latter two examples are local array access and buffer overflow. More in-depth buffer overflow attacks see the relevant information.
The example function must contain the STDIO.H header file and include the string.h header file (such as the strcpy function) on demand.
"Example 1" Changes the return address of a function so that it returns to a specified instruction position instead of the position immediately following the function call. The implementation principle is to modify the return address in the function body to find the location of the return address and modify it. The code is as follows:
1//foo.c
2 void foo (void) {
3 int A, *p;
4 p = (int*) ((char *) &a +); Let P point to the return address of the stack when the main function calls Foo, equivalent to P = (int*) (&a + 3);
5 *p + +; Modify the value of the address so that it points to the starting address of a directive
6}
7 int main (void) {
8 foo ();
9 printf ("The call\n"); printf ("Second printf call\n");
return 0;
12}Compile run, result output second printf call, no output of the A-i-printf call.
The following is a detailed description of the origins of the two 12 in the code.
After compiling (gcc main.c–g) and disassembly (Objdump a.out–d), the assembly code fragment is as follows:
From the above assembly code, it is known that the instruction address behind Foo (that is, the return address pressed in when Foo is invoked) is 0X80483B8, and the address of the instruction to invoke printf ("Second printf call") is 0X80483C4. The difference is 12, so the value of the return address plus 12 can be (*p + + 12).
Directive <804838a> assigns the address of -8 (%EBP) to the%eax Register (p = &a). The variable A in the Foo () function is stored on the -8 (%EBP) address, and the address is 8+4=12 up to the return address ((char *) &a + 12). Modifying this address content (*p + + 12) enables you to jump to the second printf function call when the function call ends.
Use GDB to view the value (%ESP) of the top of the stack when the assembly instruction just entered Foo, as follows:
The visible%esp value is indeed the address of the next order to be executed in main after Foo is invoked, and the code modifies that value. %eip points to the directive address of the current program (foo).
"Sample 2" temporarily runaway the return address of the function to modify its value so that the function returns to the address of the Detour function, and the Detour function attempts to return to the main function by returning the previously saved address. The code is as follows:
1//runaway.c
2 int gprevret = 0;//Save function return address
3 void detour (void) {
4 int *p = (int*) &p + 2; P points to the return address of the function
5 *p = Gprevret;
6 printf ("Run away!\n");//require a carriage return, or fflush (stdout) after printing; refresh the buffer, or you may not be able to output
7}
8 int runaway (void) {
9 on a segment error int *p = (int*) &p + 2;
Ten Gprevret = *p;
One *p = (int) detour;
return 0;
'
int main (void) { runaway (); printf ("Come home!\n");
return 0;
18}Compile run after output:
Run away! Come home! Run away! Come home! Segmentation fault |
A segment error occurred after running. There must be something wrong. The reason for the error is left to the reader to think about, and here's another version of the code that gets the return address (instead of estimating the stack frame structure) with the assembly.
1 register void *gebp __asm__ ("%ebp");
2 void Detour (void) {
3 * ((int *) GEBP + 1) = Gprevret;
4 printf ("Run away!\n");
5}
6 int runaway (void) {
7 gprevret = * (int *) GEBP + 1);
8 * (int *) GEBP + 1) = detour;
9 return 0;
10}"Example 3" modifies the melody function pointer variable within the called function, causing the program to crash when the pointer is subsequently accessed. The code is as follows:
1//crasher.c 2 typedef struct{3 int member1;
4 int member2;
5}t_strt;
6 T_strt gtteststrt = {0};
7 register void *gebp __asm__ ("%EBP"); 8 9 void Crasher (T_strt *ptstrt) {f ("[%s]: EBP =%p (0x%08x) \ n", __function__, GEBP, * ((int*) gebp)); 11
printf ("[%s]: PTSTRT =%p (%p) \ n", __function__, &PTSTRT, PTSTRT);
printf ("[%s]: (1) =%p (0x%08x) \ n", __function__, ((int*) &ptstrt-2), * ((int*) &ptstrt-2)); Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
